The Ryuk ransomware operators have organized one of the most prevalent threat groups over the past year. Recent research shows how their methods are advancing.

The operators showed preference to hosts with exposed remote desktop connections by using phishing emails as an initial entry to deliver their malware. To find and exploit these exposed RDP hosts, Ryuk operators are using brute force and spray and pray tactics. They have also been observed using the BazaCall campaign to spread malware through call centers where targeted entities are directed to open excel documents containing malware.

Ryuk’s operators then conduct reconnaissance in two different phases. First to find out where the most valuable data and information is located within a compromised environment. Secondly, they find out the yearly revenue of their victim to ensure the ransom demand they request is feasible for the particular organization. Further steps involve using Cobalt Strike to expose general antivirus and endpoint detection and response tools to aide Ryuk in evading them.

More recent techniques show the operators utilizing KeeThief which is an open-source tool that can extract credentials from password managers. KeeThief extracts vital information from the memory of a running process with an unlocked database. When they are able to obtain the credentials of local administrators, they can work their way around defenses controlled by those administrators.


Ryuk’s operators mainly exploit older vulnerabilities that have available patches. Engaging with a security firm such as SpearTip will allow your organization to stay ahead of these threats with patch management and continuous monitoring. Our certified engineers work around the clock to make sure our clients and partners are protected from malicious cyber threats. Not only can we respond to threats instantly, but we can spot them out and neutralize them before they do any harm to your business. Ryuk’s techniques are ever-evolving, so this means defenses have to evolve simultaneously and our team takes pride in learning every day to mitigate these threats.

Our team will continuously monitor environments 24/7 in our US based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have a direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been breached, call our Security Operations Center at 833.997.7327.